Travelex customers ‘thousands of pounds out of pocket’

travelexImage copyright Getty Images

Customers of Travelex say they feel let down after being left with no travel money from the company which is in the midst of a cyber attack.

On Tuesday the foreign currency trader confirmed that it is the victim of an ongoing ransomware attack.

The criminals behind the hack told the BBC they are demanding $6m (£4.6m) or company computer systems will be deleted and customer data sold online.

Travelex says that there is no evidence customer data has been compromised.

In response to the cyber attack, which was first discovered on New Year’s Eve, Travelex took all computer systems offline, affecting thousands of sites in dozens of countries.

Cashiers have been resorting to using pen and paper to keep money moving at cash desks in airports and on high streets but orders online have been affected.

Image copyright Natalie Whiting
Image caption Natalie Whiting from Stevenage hasn’t received her euros

Business partners which rely on Travelex for currency services, like Sainsbury’s, Tesco and Virgin Money have also been affected.

Natalie Whiting from Stevenage has had no way to collect the £1000 worth of euros that she ordered online through Tesco.

“I ordered over £1000 of euros from Tesco bank online for collection in my local Tesco store on the 31st December, ready to be collected on the 3rd January,” she told the BBC

“The money was taken from my account and an order confirmation was sent to me but when I went to Tesco to collect my euros last Friday to be told of the Travelex issue.

Computers offline

“I haven’t been able to get a refund of my money, it just seems to be in limbo.”

“I am now £1000 out of pocket after saving up for so long and there’s no information or help.”

Travelex confirmed to the BBC that no direct communication has been sent to customers about the attack, partly because all the computer systems are offline.

Visitors to the Travelex UK website are told that the site is down for ‘planned maintenance’ and partner sites like Sainsbury’s travel money have similar messages.

Image copyright Stephen Wright
Image caption Stephen Wright, from Banff in North East Scotland had to buy currency elsewhere

Stephen Wright, from Banff in North East Scotland, is also furious with the way the company is handling the incident.

He said: “I ordered Euros on 23rd December from Tesco bank. Delivery was due on 3rd January but obviously, due to the problem with Travelex, nothing has yet arrived.”

“There has been no communication from Tesco bank, so I called them. They simply say there is nothing they can do, that I must just wait until the problem is rectified, whenever that will be.”

“I have been forced to purchase more Euros elsewhere leaving me considerably out of pocket.”

No ICO report

A ransomware gang called Sodinokibi carried out the attack.

The gang, also known as REvil, claims it first gained access to the company’s computer network six months ago and has since downloaded 5 gigabytes of sensitive customer data.

Dates of birth, credit card information and national insurance numbers are all in their possession, they claim.

However, a Travelex spokeswoman said on Tuesday night in a statement: “Whilst the investigation is still ongoing, Travelex has confirmed that the software virus is ransomware known as Sodinokibi, also commonly referred to as REvil.”

“Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted.

“Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.”

The Information Commissioner’s Office (ICO) said it had not received a data breach report from Travelex.

A spokeswoman added: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.

“If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”

Under General Data Protection Regulation, a company which fails to comply can face a maximum fine of 4% of its global turnover.

The Metropolitan Police says it’s Cyber Crime team is leading the investigation into the attack.

Travelex has not said whether or not they are negotiating with the hackers and have not given any timeframe for when normal service will resume.,


As an Amazon Associate I earn from qualifying purchases.


Leave a Reply

Your email address will not be published. Required fields are marked *